Everything about security

We are doing an project for a school competition in which we need to use a Raspberry Pi to make an IOT prototype. We received SD cards from the professor, and because we lost ours we asked another group to give us a copy of their card, I know it’s been modified because the original hash doesn’t match. Could you please investigate and tell me if everything is ok? Here is some parts of the file system:

return'Congr4ts, you found the [email protected] The fl4g is simply : {}:{}'.format(user,pincode)

returnabort(404)

app=Flask(__name__)

@app.route('/')

defhello():

return'<h1>HOME</h1>'

@app.route('/backdoor')

defbackdoor():

user=request.args.get('user')

pincode=request.args.get('pincode')

returncheck_creds(user,pincode)

if__name__=='__main__':

app.run(threaded=True,host='0.0.0.0',port=3333)

It is a web application created with Flask which runs on the port 3333. However, this application has a hidden interface at /backdoor page. This page requires username and pincode to grant access. It says our flag is the correct username and pincode in the format username:pincode. In addition, the sha256 hash of the flag (username:pincode) is 34c05015de48ef10309963543b4a347b5d3d20bbe2ed462cf226b1cc8fff222e. We already have the username which is b4ckd00r_us3r. We know that pincode is consist of digits only and its length is less than or equal to 8 digits. Thus, we can brute force the pincode in a short amount of time.